NordVPN Promotion

Home / Blogs

Trust Isn’t Easy: Drawing an Agenda from Friday’s DDoS Attack and the Internet of Things

BLACK FRIDAY DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]

Last week, millions of infected devices directed Internet traffic to DNS service provider Dyn, resulting in a Distributed Denial of Service (DDoS) attack that took down major websites including Twitter, Amazon, Netflix, and more. In a recent blog post, security expert Bruce Schneier argued that “someone has been probing the defences of the companies that run critical pieces of the Internet”. This attack seems to be part of that trend.

This disruption begs the question: Can we trust the Internet?

The answer to that question is not yes, or no, or even “it depends.”

First, it is important to realise that there is no security czar on the internet; there is nobody who can force the global Internet and its users to solve any of these cyber issues. Various actors on the internet must take responsibility, often in collaboration with others, taking into account the fundamental values and properties that underpin the Open Internet. We call this approach the collaborative security approach. For now, it is sufficient to realise that security of the Internet depends on many actors taking responsibility. In this post, I look at this attack through the lens of the internet ‘as a system’, and I identify one success, share one observation, talk a failure, and outline an agenda that we must adopt.

The success lies in the collaborative nature of how Dyn worked with others to mitigate the attack.

As mentioned in their statement, Dyn had to work with the technical community to mitigate the attack. My speculations will not be far off if I say that this must have involved work with network operators, computer security specialists, law enforcement, computer security incident response teams, DNS providers, and their customers. Given the size and scale of the attack, I see their reactive work as a testament to the effectiveness of the coordination. So, kudos to Dyn for thwarting the attack even though, metaphorically, this is the success of a fire truck arriving on time and limiting damage and not a success of preventing the fire in the first place.

We should not take the sort of collaboration that happened here for granted. These sort of attacks can only be stopped when network operators collaborate to address issues that are not exclusively impacting their own network (the firemen from other areas coming to aid). At the Internet Society our Routing Manifesto, or MANRS, initiative speaks to just that: We are growing the community that commits to taking measures against certain types of attacks and takes action that allows for effective collaboration. MANRS acts as a signal to customers that they are dealing with an entity that understands their responsibility. I’ll get back to signalling below.

The observation.

One of the benefits of having a site’s DNS service managed by one or a few consolidated companies is that specialist expertise can be outsourced and these few organisations can efficiently deal with problems quickly. However, it also means that chokepoints are created and those few managed DNS service providers are becoming very big targets. The failure lies herein that the target painted seems to have become too big, and many major companies and websites now share their fate with these consolidated DNS providers. Given that one of the services often offered by DNS service providers is load balancing, untangling these hefty integrations may be a bit tricky. But since some companies and websites got a real hit last week, I think there may be some market-driven evolution in this space.

Now for the failure: Why is it that we are shipping an Internet of Things (IoT) that is so insecure?

These types of attacks depend on malicious software (usually referred to as “bot,” from robot) being installed on various devices that connect to the internet. The installation can happen because users (accidentally) open links that download software or because devices are open to attack from the internet. There are some actors involved here. Any device—a computer, a phone, or an IoT thing—is made out of a large number of software components. When bugs are discovered in the software, the fixes need to make their way into the software and then onto the devices. There is a lot of collaborative effort in identifying the problems, and creating and distributing the fixes. In involves processes like responsible disclosure of bugs, software patch policies and procedures, and device end-of-life policies. It also, somewhat, unfortunately, involves the actions of end-users since they need to pay attention that they change the default password on the camera, printer, or car they just bought.

So from this follows an agenda. Inspired by the IoT Security Questions from our Internet of Things Overview, we need to get to a point where:

  • Producers follow, and share, good design practices;
  • For every product sold there is a way that security researchers can responsibly disclose vulnerabilities found;
  • Producers can fix, or patch, these vulnerabilities during the lifetime of the device (Field Upgradability);
  • We clearly understand what happens if the product, or the supporting producers, reach end-of-life (Device Obsolescence);
  • Consumers can make informed choices based on these properties (Cost vs. Security trade-offs);
  • Data that IoT devices collect are protected and dealt with in privacy-honoring ways (Data Confidentiality and Access Control); and
  • Those who go about device security in an irresponsible way get penalised.

This is not a trivial agenda.

Take, for instance, consumers making informed choices. While consumers may care about their devices being hacked and used against them, they usually do not know that their camera may be used to bring down the Internet, so the latter isn’t part of their purchasing decision and hence an afterthought for the producers. These types of issues can be resolved through signalling mechanisms that indicate devices have at least minimal security. Getting to these signalling mechanisms could be done by consorted industry action, but may also involve regulation.

The fact that Internet of Things security is riddled with cases where manufacturers do not incur costs for any lack of security, and the fact that the global industry ships devices without having good answers for questions like responsible disclosure of bugs, software patch policies and procedures, and device end-of-life policies makes for a rather toxic mix.

We are shipping a lot of Things, so these issues need to be taken head-on with urgency. However, not through a central authority, but by consumers, producers, researchers and regulators coming up with mechanisms that allow the internet to remain open. There are multiple examples of communities taking responsibility and trying to move the needle. Let me name a few that I encountered in the past weeks:

The fact that many organisations are looking at several pieces of the agenda is reassuring; that means that good solutions will surface. Solutions that are relevant in the context in which they will need to be applied. The call to action is to get involved. To take your piece of the agenda and address that piece that you, as a consumer, as a producer, as an insurer, as a stock broker, or as a regulator can address. Together in collaboration, bring your expertise.

In the Dyn blog that reports on the DDoS attack, Kyle York says: “It is said that eternal vigilance is the price of liberty.

I believe that quote is central to the collaborative security approach. It implies that we collectively need to work to keep the Internet open, that sometimes we will feel the pain of openness—for this attack will probably not be the last one—and that most importantly the open Internet brings liberty.

Note: an earlier version of this post appeared on the Internet Society blog

By Olaf Kolkman, Principal Internet Technology, Policy, and Advocacy

Filed Under

Comments

IoT security through the new brand Top-Level Domains (TLDs) Andre Forrester  –  Oct 25, 2016 4:13 PM

Hi Olaf - Thanks for this post. I appreciate your stoic approach and you mention a lot of important issues related to continuing the freedom we take for granted in using the Internet today. I work with a domain intelligence company. We have explored with another IoT firm, how the new brand TLDs (.honeywell, .bmw, .chrysler etc.), delegated at the root of the Internet, can improve the security of IoT networks and connected devices. My CTO, if he has time, will be writing a piece on this shortly. Thanks again! Here’s to Eternal Vigilance! Andre.

Thank you for your post. I am Charles Christopher  –  Oct 26, 2016 3:19 AM

Thank you for your post. I am very pleased to see comments such as:

“It is said that eternal vigilance is the price of liberty” and “that most importantly the open Internet brings liberty.”

In such a discussion, be it the internet, or stopping at a supermarket late at night, we are responsible for ourselves. And along that line I think this sentence is very important:

“However, it also means that chokepoints are created and those few managed DNS service providers are becoming very big targets. “

In addition to the stated agenda to improve and maintain security of mass market devices (“IOT”), we also need to address the creation of nice targets for them. To the extent possible DNS service providers need to decentralize, and domain registrants should remember DNS allows 13 name servers. I would suggest reducing “Chokepoints” via decentralization/redundancy/multiple providers needs to be part of the Agenda. Services most likely to be targets should decentralize as much as possible to make successful attacks harder.

“Notice that the stiffest tree is most easily cracked, while the bamboo or willow survives by bending with the wind.”
- Bruce Lee

“Nothing new, under the sun”
- Solomon

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Cybersecurity

Sponsored byVerisign

NordVPN Promotion